Cloudflare Access — kiosk bypass setup
Why this exists
The whole portal at ops.hookstreetservices.com is gated by Cloudflare Access. That's correct for everything Sam + Mildred + Chanie use, but WRONG for the iPad family kiosk — kids should never have to log in, and the iPad shouldn't be tied to one Google account.
The fix: create a separate Bypass policy on the kiosk path only. Anyone hitting ops.hookstreetservices.com/family-kiosk.html skips auth entirely. Everything else stays gated. One caveat: the bypass is by path, so every script, stylesheet, image and API call the kiosk page loads must also sit under a bypassed path, otherwise those fetches get the Access login redirect and the kiosk half-breaks.
5-minute setup
- dash.cloudflare.com → pick the account that owns hookstreetservices.com → Zero Trust (or it'll redirect to one.dash.cloudflare.com).
- Access → Applications → find ops.hookstreetservices.com → click it and look at how it is scoped. The path is part of the Application domain (subdomain + domain + path), not of the policy, so any policy on this app covers whatever this app covers. If the app is set to protect the entire host, do NOT add the Bypass policy here: with Include → Everyone it would open the whole portal. Instead, either:
  - (Easier) Add a SECOND Access application scoped ONLY to ops.hookstreetservices.com/family-kiosk.html. The original app stays as-is for everything else.
  - OR (cleaner) Narrow the existing application's Application domain to what actually needs gating, and add a new application for the kiosk path.
- Easier path = Access → Applications → Add an application → Self-hosted, with Application domain ops.hookstreetservices.com and path family-kiosk.html. When a request matches more than one application, Access uses the most specific match, so the kiosk URL hits the kiosk app while the rest of the portal keeps hitting the host-wide app and stays gated.
- On the kiosk application → Policies → Add a policy. Fill in:
  - Policy name: Family kiosk - bypass
  - Action: Bypass (very important: not Allow, not Block, Bypass)
  - Configure rules: add Include → Everyone (a policy needs at least one Include rule; Everyone is the one that matches every request)
- Save.
What the result feels like
- iPad → Safari → ops.hookstreetservices.com/family-kiosk.html → kiosk loads instantly, no Google sign-in screen.
- iPad → Safari → ops.hookstreetservices.com/home.html → still gated, prompts Google sign-in.
- Sam's phone → ops.hookstreetservices.com → still gated.
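A scripted version of the checks above, added here as an example and not part of the original setup notes. It probes each URL with curl and classifies the answer: Cloudflare Access answers an unauthenticated request with a redirect to the team's cloudflareaccess.com login page, while a bypassed path reaches the origin and returns whatever the origin says. It also probes a POST to the kiosk page (Bypass is per path, not per HTTP method) and one asset path. The asset path /family-kiosk.js and the team name used in the comments are assumptions; the host and the other paths come from the notes.

```shell
#!/bin/sh
# Added example (not part of the original kiosk notes): verify that the Access
# bypass is scoped to exactly the kiosk path. The asset path /family-kiosk.js
# is an assumption; adjust to whatever the kiosk page really loads.
set -eu

HOST="${HOST:-ops.hookstreetservices.com}"

# classify_access CODE REDIRECT_URL -> prints "gated" or "open".
# Access redirects an unauthenticated request to
# https://<team>.cloudflareaccess.com/cdn-cgi/access/login/<host>?... ;
# any other answer means the request reached the origin, i.e. the path is
# bypassed (including non-Access redirects and 4xx from the origin itself).
classify_access() {
    code="$1"
    redirect="$2"
    case "$code" in
        301|302|303|307|308)
            case "$redirect" in
                *.cloudflareaccess.com/cdn-cgi/access/login*) echo gated; return 0 ;;
            esac ;;
    esac
    echo open
}

# probe METHOD PATH -> "<status code> <redirect url>" from a live request.
# -o /dev/null discards the body; -w prints the two fields we classify on.
probe() {
    curl -s -o /dev/null -X "$1" -w '%{http_code} %{redirect_url}' "https://${HOST}$2"
}

# expect METHOD PATH EXPECTED -> prints one line, returns 1 on mismatch.
expect() {
    result=$(probe "$1" "$2")
    code=${result%% *}
    redirect=${result#* }
    got=$(classify_access "$code" "$redirect")
    if [ "$got" = "$3" ]; then
        printf 'ok    %-4s %-20s %s (%s)\n' "$1" "$2" "$got" "$code"
    else
        printf 'FAIL  %-4s %-20s expected %s, got %s (%s -> %s)\n' \
            "$1" "$2" "$3" "$got" "$code" "$redirect"
        return 1
    fi
}

# Live checks only run with --live, so the file can be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    rc=0
    expect GET  /family-kiosk.html open  || rc=1   # the bypassed kiosk page
    expect POST /family-kiosk.html open  || rc=1   # Bypass is per path, not per method
    expect GET  /family-kiosk.js   open  || rc=1   # assumed asset path; must be bypassed too
    expect GET  /home.html         gated || rc=1   # rest of the portal stays gated
    expect GET  /                  gated || rc=1
    exit $rc
fi
```

Run it as `sh check-kiosk-bypass.sh --live` from a machine with no Access cookie (a fresh curl has none). Any `FAIL` on a `gated` line means the bypass leaked past the kiosk path; a `FAIL` on the asset line means the kiosk will load but its script fetches will be redirected to the login page.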
Future kid-friendly URLs to add to the bypass
When new family-only pages get built (chore chart, family calendar print view, kid-specific dashboards), they need the same treatment. The path is set on the Access application, not on the policy, so each new page needs its own kiosk application (or one application on a wildcard path such as /treitels/* to cover a whole subtree), each with the same Bypass + Everyone policy:
- /family-kiosk.html
- /family-calendar.html (future)
- /chores.html (future)
- /treitels/* (if a subpath ever gets used)
Risks (and why they're acceptable)
- Anyone with the kiosk URL can view it — sample data only, no PII / no money / no queue.
- No write actions from the kiosk hit any sensitive system without going through ops-api which itself validates inputs.
- Voice transcripts go to /voice/speak which is unauthenticated by design (it's free CF Workers AI, no PII processed). Note that "unauthenticated" means reachable by anyone on the internet, not just the kiosk, so keep an eye on Workers AI usage.
- The bypass is scoped by path, not by HTTP method: a POST to /family-kiosk.html is bypassed just like a GET. What keeps writes safe is that the write-action endpoints live under other paths, which stay authenticated.
Reversal
To re-gate the kiosk later (e.g. you decide kids should each have their own Google account):
- Zero Trust → Access → Applications → the kiosk app → delete it, OR change the policy's Action from Bypass to Allow and replace Include → Everyone with the kids' Gmail addresses (Allow + Everyone would let anyone who can sign in through the configured identity provider in).
- Takes effect within seconds.
Saved 2026-05-31 PM as part of the family kiosk v2 build.